{"id":"CVE-2025-39899","summary":"mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE\n\nWith CONFIG_HIGHPTE on 32-bit ARM, move_pages_pte() maps PTE pages using\nkmap_local_page(), which requires unmapping in Last-In-First-Out order.\n\nThe current code maps dst_pte first, then src_pte, but unmaps them in the\nsame order (dst_pte, src_pte), violating the LIFO requirement.  This\ncauses the warning in kunmap_local_indexed():\n\n  WARNING: CPU: 0 PID: 604 at mm/highmem.c:622 kunmap_local_indexed+0x178/0x17c\n  addr != __fix_to_virt(FIX_KMAP_BEGIN + idx)\n\nFix this by reversing the unmap order to respect LIFO ordering.\n\nThis issue follows the same pattern as similar fixes:\n- commit eca6828403b8 (\"crypto: skcipher - fix mismatch between mapping and unmapping order\")\n- commit 8cf57c6df818 (\"nilfs2: eliminate staggered calls to kunmap in nilfs_rename\")\n\nBoth of which addressed the same fundamental requirement that kmap_local\noperations must follow LIFO ordering.","modified":"2026-04-02T12:48:12.186010Z","published":"2025-10-01T07:42:47.100Z","related":["SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39899.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/9614d8bee66387501f48718fa306e17f2aa3f2f3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b051f707018967ea8f697d790a1ed8c443f63812"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bd1ee62759d0bd4d6b909731c076c230ac89d61e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39899.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39899"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"adef440691bab824e39c1b17382322d195e1fab0"},{"fixed":"b051f707018967ea8f697d790a1ed8c443f63812"},{"fixed":"bd1ee62759d0bd4d6b909731c076c230ac89d61e"},{"fixed":"9614d8bee66387501f48718fa306e17f2aa3f2f3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39899.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}